diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch | 61 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch | 96 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch | 28 | ||||
-rwxr-xr-x | meta/recipes-connectivity/openssh/openssh/run-ptest | 16 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/ssh_config | 14 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/sshd.service | 18 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/sshd.socket | 1 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 4 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/sshd_config | 17 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_9.7p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_8.4p1.bb) | 130 |
10 files changed, 285 insertions, 100 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch new file mode 100644 index 0000000000..8763f30f4b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mikko Rapeli <mikko.rapeli@linaro.org> | ||
3 | Date: Mon, 11 Sep 2023 09:55:21 +0100 | ||
4 | Subject: [PATCH] regress/banner.sh: log input and output files on error | ||
5 | |||
6 | Some test environments like yocto with qemu are seeing these | ||
7 | tests failing. There may be additional error messages in the | ||
8 | stderr of ssh cloent command. busybox cmp shows this error when | ||
9 | first input file has less new line characters then second | ||
10 | input file: | ||
11 | |||
12 | cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in | ||
13 | |||
14 | Logging the full banner.out will show what other error messages | ||
15 | are captured in addition of the expected banner. | ||
16 | |||
17 | Full log of a failing banner test runs is: | ||
18 | |||
19 | run test banner.sh ... | ||
20 | test banner: missing banner file | ||
21 | test banner: size 0 | ||
22 | cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in | ||
23 | banner size 0 mismatch | ||
24 | test banner: size 10 | ||
25 | test banner: size 100 | ||
26 | cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in | ||
27 | banner size 100 mismatch | ||
28 | test banner: size 1000 | ||
29 | test banner: size 10000 | ||
30 | test banner: size 100000 | ||
31 | test banner: suppress banner (-q) | ||
32 | FAIL: banner | ||
33 | return value: 1 | ||
34 | |||
35 | See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 | ||
36 | |||
37 | Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] | ||
38 | |||
39 | Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> | ||
40 | --- | ||
41 | regress/banner.sh | 4 +++- | ||
42 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
43 | |||
44 | diff --git a/regress/banner.sh b/regress/banner.sh | ||
45 | index a84feb5a..de84957a 100644 | ||
46 | --- a/regress/banner.sh | ||
47 | +++ b/regress/banner.sh | ||
48 | @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do | ||
49 | verbose "test $tid: size $s" | ||
50 | ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ | ||
51 | cmp $OBJ/banner.in $OBJ/banner.out ) || \ | ||
52 | - fail "banner size $s mismatch" | ||
53 | + ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \ | ||
54 | + verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \ | ||
55 | + fail "banner size $s mismatch" ) | ||
56 | done | ||
57 | |||
58 | trace "test suppress banner (-q)" | ||
59 | -- | ||
60 | 2.34.1 | ||
61 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch new file mode 100644 index 0000000000..f079d936a4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Jolly <Matt.Jolly@footclan.ninja> | ||
3 | Date: Thu, 2 Feb 2023 21:05:40 +1100 | ||
4 | Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` | ||
5 | |||
6 | This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> | ||
7 | patch based on Jakub Jelen's <jjelen@redhat.com> original patch | ||
8 | |||
9 | Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] | ||
10 | |||
11 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
12 | --- | ||
13 | configure.ac | 24 ++++++++++++++++++++++++ | ||
14 | sshd.c | 13 +++++++++++++ | ||
15 | 2 files changed, 37 insertions(+) | ||
16 | |||
17 | diff --git a/configure.ac b/configure.ac | ||
18 | index 82e8bb7..d1145d3 100644 | ||
19 | --- a/configure.ac | ||
20 | +++ b/configure.ac | ||
21 | @@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) | ||
22 | AC_SUBST([K5LIBS]) | ||
23 | AC_SUBST([CHANNELLIBS]) | ||
24 | |||
25 | +# Check whether user wants systemd support | ||
26 | +SYSTEMD_MSG="no" | ||
27 | +AC_ARG_WITH(systemd, | ||
28 | + [ --with-systemd Enable systemd support], | ||
29 | + [ if test "x$withval" != "xno" ; then | ||
30 | + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) | ||
31 | + if test "$PKGCONFIG" != "no"; then | ||
32 | + AC_MSG_CHECKING([for libsystemd]) | ||
33 | + if $PKGCONFIG --exists libsystemd; then | ||
34 | + SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` | ||
35 | + SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` | ||
36 | + CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" | ||
37 | + SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" | ||
38 | + AC_MSG_RESULT([yes]) | ||
39 | + AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) | ||
40 | + SYSTEMD_MSG="yes" | ||
41 | + else | ||
42 | + AC_MSG_RESULT([no]) | ||
43 | + fi | ||
44 | + fi | ||
45 | + fi ] | ||
46 | +) | ||
47 | + | ||
48 | # Looking for programs, paths and files | ||
49 | |||
50 | PRIVSEP_PATH=/var/empty | ||
51 | @@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" | ||
52 | echo " Solaris process contract support: $SPC_MSG" | ||
53 | echo " Solaris project support: $SP_MSG" | ||
54 | echo " Solaris privilege support: $SPP_MSG" | ||
55 | +echo " systemd support: $SYSTEMD_MSG" | ||
56 | echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" | ||
57 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | ||
58 | echo " BSD Auth support: $BSD_AUTH_MSG" | ||
59 | diff --git a/sshd.c b/sshd.c | ||
60 | index b4f2b97..6820a41 100644 | ||
61 | --- a/sshd.c | ||
62 | +++ b/sshd.c | ||
63 | @@ -88,6 +88,10 @@ | ||
64 | #include <prot.h> | ||
65 | #endif | ||
66 | |||
67 | +#ifdef HAVE_SYSTEMD | ||
68 | +#include <systemd/sd-daemon.h> | ||
69 | +#endif | ||
70 | + | ||
71 | #include "xmalloc.h" | ||
72 | #include "ssh.h" | ||
73 | #include "ssh2.h" | ||
74 | @@ -308,6 +312,10 @@ static void | ||
75 | sighup_restart(void) | ||
76 | { | ||
77 | logit("Received SIGHUP; restarting."); | ||
78 | +#ifdef HAVE_SYSTEMD | ||
79 | + /* Signal systemd that we are reloading */ | ||
80 | + sd_notify(0, "RELOADING=1"); | ||
81 | +#endif | ||
82 | if (options.pid_file != NULL) | ||
83 | unlink(options.pid_file); | ||
84 | platform_pre_restart(); | ||
85 | @@ -2093,6 +2101,11 @@ main(int ac, char **av) | ||
86 | } | ||
87 | } | ||
88 | |||
89 | +#ifdef HAVE_SYSTEMD | ||
90 | + /* Signal systemd that we are ready to accept connections */ | ||
91 | + sd_notify(0, "READY=1"); | ||
92 | +#endif | ||
93 | + | ||
94 | /* Accept a connection and return in a forked child */ | ||
95 | server_accept_loop(&sock_in, &sock_out, | ||
96 | &newsock, config_s); | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch deleted file mode 100644 index b88bc18f12..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch +++ /dev/null | |||
@@ -1,28 +0,0 @@ | |||
1 | From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 | ||
2 | From: Darren Tucker <dtucker@dtucker.net> | ||
3 | Date: Fri, 20 Nov 2020 13:37:54 +1100 | ||
4 | Subject: [PATCH] Add new pselect6_time64 syscall on ARM. | ||
5 | |||
6 | This is apparently needed on armhfp/armv7hl. bz#3232, patch from | ||
7 | jjelen at redhat.com. | ||
8 | --- | ||
9 | sandbox-seccomp-filter.c | 3 +++ | ||
10 | 1 file changed, 3 insertions(+) | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | [fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] | ||
14 | |||
15 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
16 | index e0768c063..5065ae7ef 100644 | ||
17 | --- a/sandbox-seccomp-filter.c | ||
18 | +++ b/sandbox-seccomp-filter.c | ||
19 | @@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { | ||
20 | #ifdef __NR_pselect6 | ||
21 | SC_ALLOW(__NR_pselect6), | ||
22 | #endif | ||
23 | +#ifdef __NR_pselect6_time64 | ||
24 | + SC_ALLOW(__NR_pselect6_time64), | ||
25 | +#endif | ||
26 | #ifdef __NR_read | ||
27 | SC_ALLOW(__NR_read), | ||
28 | #endif | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index ae03e929b2..b2244d725a 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest | |||
@@ -4,8 +4,22 @@ export TEST_SHELL=sh | |||
4 | export SKIP_UNIT=1 | 4 | export SKIP_UNIT=1 |
5 | 5 | ||
6 | cd regress | 6 | cd regress |
7 | |||
8 | # copied from openssh-portable/.github/run_test.sh | ||
9 | output_failed_logs() { | ||
10 | for i in failed*.log; do | ||
11 | if [ -f "$i" ]; then | ||
12 | echo ------------------------------------------------------------------------- | ||
13 | echo LOGFILE $i | ||
14 | cat $i | ||
15 | echo ------------------------------------------------------------------------- | ||
16 | fi | ||
17 | done | ||
18 | } | ||
19 | trap output_failed_logs 0 | ||
20 | |||
7 | sed -i "/\t\tagent-ptrace /d" Makefile | 21 | sed -i "/\t\tagent-ptrace /d" Makefile |
8 | make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ | 22 | make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \ |
9 | | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' | 23 | | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' |
10 | 24 | ||
11 | SSHAGENT=`which ssh-agent` | 25 | SSHAGENT=`which ssh-agent` |
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config index e0d023803e..cb2774a163 100644 --- a/meta/recipes-connectivity/openssh/openssh/ssh_config +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ | 1 | # $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $ |
2 | 2 | ||
3 | # This is the ssh client system-wide configuration file. See | 3 | # This is the ssh client system-wide configuration file. See |
4 | # ssh_config(5) for more information. This file provides defaults for | 4 | # ssh_config(5) for more information. This file provides defaults for |
@@ -17,11 +17,11 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | Host * | 20 | Include /etc/ssh/ssh_config.d/*.conf |
21 | ForwardAgent yes | 21 | |
22 | ForwardX11 yes | 22 | # Host * |
23 | # RhostsRSAAuthentication no | 23 | # ForwardAgent no |
24 | # RSAAuthentication yes | 24 | # ForwardX11 no |
25 | # PasswordAuthentication yes | 25 | # PasswordAuthentication yes |
26 | # HostbasedAuthentication no | 26 | # HostbasedAuthentication no |
27 | # GSSAPIAuthentication no | 27 | # GSSAPIAuthentication no |
@@ -36,7 +36,6 @@ Host * | |||
36 | # IdentityFile ~/.ssh/id_ecdsa | 36 | # IdentityFile ~/.ssh/id_ecdsa |
37 | # IdentityFile ~/.ssh/id_ed25519 | 37 | # IdentityFile ~/.ssh/id_ed25519 |
38 | # Port 22 | 38 | # Port 22 |
39 | # Protocol 2 | ||
40 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc | 39 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc |
41 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com | 40 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com |
42 | # EscapeChar ~ | 41 | # EscapeChar ~ |
@@ -46,3 +45,4 @@ Host * | |||
46 | # VisualHostKey no | 45 | # VisualHostKey no |
47 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 46 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
48 | # RekeyLimit 1G 1h | 47 | # RekeyLimit 1G 1h |
48 | # UserKnownHostsFile ~/.ssh/known_hosts.d/%k | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service new file mode 100644 index 0000000000..3e570ab1e5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service | |||
@@ -0,0 +1,18 @@ | |||
1 | [Unit] | ||
2 | Description=OpenSSH server daemon | ||
3 | Wants=sshdgenkeys.service | ||
4 | After=sshdgenkeys.service | ||
5 | After=nss-user-lookup.target | ||
6 | |||
7 | [Service] | ||
8 | Environment="SSHD_OPTS=" | ||
9 | EnvironmentFile=-/etc/default/ssh | ||
10 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | ||
11 | ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS | ||
12 | ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID | ||
13 | KillMode=process | ||
14 | Restart=on-failure | ||
15 | RestartSec=42s | ||
16 | |||
17 | [Install] | ||
18 | WantedBy=multi-user.target | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket index 8d76d62309..7dd2ed0626 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.socket +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket | |||
@@ -1,6 +1,7 @@ | |||
1 | [Unit] | 1 | [Unit] |
2 | Conflicts=sshd.service | 2 | Conflicts=sshd.service |
3 | Wants=sshdgenkeys.service | 3 | Wants=sshdgenkeys.service |
4 | After=nss-user-lookup.target | ||
4 | 5 | ||
5 | [Socket] | 6 | [Socket] |
6 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | 7 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd |
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index 1931dc7153..606d1894b5 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys | |||
@@ -6,6 +6,7 @@ generate_key() { | |||
6 | local DIR="$(dirname "$FILE")" | 6 | local DIR="$(dirname "$FILE")" |
7 | 7 | ||
8 | mkdir -p "$DIR" | 8 | mkdir -p "$DIR" |
9 | rm -f ${FILE}.tmp | ||
9 | ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE | 10 | ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE |
10 | 11 | ||
11 | # Atomically rename file public key | 12 | # Atomically rename file public key |
@@ -56,8 +57,7 @@ while true ; do | |||
56 | esac | 57 | esac |
57 | done | 58 | done |
58 | 59 | ||
59 | HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") | 60 | HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ') |
60 | [ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" | ||
61 | 61 | ||
62 | for key in ${HOST_KEYS} ; do | 62 | for key in ${HOST_KEYS} ; do |
63 | [ -f $key ] && continue | 63 | [ -f $key ] && continue |
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config index 15f061b570..e9eaf93157 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_config +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ | 1 | # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ |
2 | 2 | ||
3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
@@ -10,6 +10,8 @@ | |||
10 | # possible, but leave them commented. Uncommented options override the | 10 | # possible, but leave them commented. Uncommented options override the |
11 | # default value. | 11 | # default value. |
12 | 12 | ||
13 | Include /etc/ssh/sshd_config.d/*.conf | ||
14 | |||
13 | #Port 22 | 15 | #Port 22 |
14 | #AddressFamily any | 16 | #AddressFamily any |
15 | #ListenAddress 0.0.0.0 | 17 | #ListenAddress 0.0.0.0 |
@@ -57,9 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
57 | #PasswordAuthentication yes | 59 | #PasswordAuthentication yes |
58 | #PermitEmptyPasswords no | 60 | #PermitEmptyPasswords no |
59 | 61 | ||
60 | # Change to yes to enable challenge-response passwords (beware issues with | 62 | # Change to yes to enable keyboard-interactive authentication (beware issues |
61 | # some PAM modules and threads) | 63 | # with some PAM modules and threads) |
62 | ChallengeResponseAuthentication no | 64 | KbdInteractiveAuthentication no |
63 | 65 | ||
64 | # Kerberos options | 66 | # Kerberos options |
65 | #KerberosAuthentication no | 67 | #KerberosAuthentication no |
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no | |||
73 | 75 | ||
74 | # Set this to 'yes' to enable PAM authentication, account processing, | 76 | # Set this to 'yes' to enable PAM authentication, account processing, |
75 | # and session processing. If this is enabled, PAM authentication will | 77 | # and session processing. If this is enabled, PAM authentication will |
76 | # be allowed through the ChallengeResponseAuthentication and | 78 | # be allowed through the KbdInteractiveAuthentication and |
77 | # PasswordAuthentication. Depending on your PAM configuration, | 79 | # PasswordAuthentication. Depending on your PAM configuration, |
78 | # PAM authentication via ChallengeResponseAuthentication may bypass | 80 | # PAM authentication via KbdInteractiveAuthentication may bypass |
79 | # the setting of "PermitRootLogin without-password". | 81 | # the setting of "PermitRootLogin without-password". |
80 | # If you just want the PAM account and session checks to run without | 82 | # If you just want the PAM account and session checks to run without |
81 | # PAM authentication, then enable this but set PasswordAuthentication | 83 | # PAM authentication, then enable this but set PasswordAuthentication |
82 | # and ChallengeResponseAuthentication to 'no'. | 84 | # and KbdInteractiveAuthentication to 'no'. |
83 | #UsePAM no | 85 | #UsePAM no |
84 | 86 | ||
85 | #AllowAgentForwarding yes | 87 | #AllowAgentForwarding yes |
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no | |||
92 | #PrintMotd yes | 94 | #PrintMotd yes |
93 | #PrintLastLog yes | 95 | #PrintLastLog yes |
94 | #TCPKeepAlive yes | 96 | #TCPKeepAlive yes |
95 | #UseLogin no | ||
96 | #PermitUserEnvironment no | 97 | #PermitUserEnvironment no |
97 | Compression no | 98 | Compression no |
98 | ClientAliveInterval 15 | 99 | ClientAliveInterval 15 |
diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb index 128e2e318a..36ffa49398 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb | |||
@@ -5,8 +5,8 @@ Ssh (Secure Shell) is a program for logging into a remote machine \ | |||
5 | and for executing commands on a remote machine." | 5 | and for executing commands on a remote machine." |
6 | HOMEPAGE = "http://www.openssh.com/" | 6 | HOMEPAGE = "http://www.openssh.com/" |
7 | SECTION = "console/network" | 7 | SECTION = "console/network" |
8 | LICENSE = "BSD & ISC & MIT" | 8 | LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT" |
9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" | 9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394" |
10 | 10 | ||
11 | DEPENDS = "zlib openssl virtual/crypt" | 11 | DEPENDS = "zlib openssl virtual/crypt" |
12 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | 12 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" |
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
16 | file://ssh_config \ | 16 | file://ssh_config \ |
17 | file://init \ | 17 | file://init \ |
18 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 18 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
19 | file://sshd.service \ | ||
19 | file://sshd.socket \ | 20 | file://sshd.socket \ |
20 | file://sshd@.service \ | 21 | file://sshd@.service \ |
21 | file://sshdgenkeys.service \ | 22 | file://sshdgenkeys.service \ |
@@ -24,37 +25,46 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | 25 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
25 | file://sshd_check_keys \ | 26 | file://sshd_check_keys \ |
26 | file://add-test-support-for-busybox.patch \ | 27 | file://add-test-support-for-busybox.patch \ |
27 | file://0f90440ca70abab947acbd77795e9f130967956c.patch \ | 28 | file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ |
29 | file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ | ||
28 | " | 30 | " |
29 | SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" | 31 | SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" |
32 | |||
33 | CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." | ||
30 | 34 | ||
31 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 | 35 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 |
32 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded | 36 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded |
33 | CVE_CHECK_WHITELIST += "CVE-2014-9278" | 37 | CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \ |
38 | Red Hat Enterprise Linux 7 and when running in a Kerberos environment" | ||
39 | |||
40 | CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries." | ||
34 | 41 | ||
35 | PAM_SRC_URI = "file://sshd" | 42 | PAM_SRC_URI = "file://sshd" |
36 | 43 | ||
37 | inherit manpages useradd update-rc.d update-alternatives systemd | 44 | inherit manpages useradd update-rc.d update-alternatives systemd |
38 | 45 | ||
39 | USERADD_PACKAGES = "${PN}-sshd" | 46 | USERADD_PACKAGES = "${PN}-sshd" |
40 | USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" | 47 | USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" |
41 | INITSCRIPT_PACKAGES = "${PN}-sshd" | 48 | INITSCRIPT_PACKAGES = "${PN}-sshd" |
42 | INITSCRIPT_NAME_${PN}-sshd = "sshd" | 49 | INITSCRIPT_NAME:${PN}-sshd = "sshd" |
43 | INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" | 50 | INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" |
44 | 51 | ||
45 | SYSTEMD_PACKAGES = "${PN}-sshd" | 52 | SYSTEMD_PACKAGES = "${PN}-sshd" |
46 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" | 53 | SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" |
47 | 54 | ||
48 | inherit autotools-brokensep ptest | 55 | inherit autotools-brokensep ptest pkgconfig |
56 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" | ||
49 | 57 | ||
50 | PACKAGECONFIG ??= "rng-tools" | 58 | # systemd-sshd-socket-mode means installing sshd.socket |
59 | # and systemd-sshd-service-mode corresponding to sshd.service | ||
60 | PACKAGECONFIG ??= "systemd-sshd-socket-mode" | ||
61 | PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2" | ||
51 | PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" | 62 | PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" |
52 | PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" | 63 | PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" |
53 | PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" | 64 | PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" |
54 | PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" | 65 | PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" |
55 | 66 | PACKAGECONFIG[systemd-sshd-socket-mode] = "" | |
56 | # Add RRECOMMENDS to rng-tools for sshd package | 67 | PACKAGECONFIG[systemd-sshd-service-mode] = "" |
57 | PACKAGECONFIG[rng-tools] = "" | ||
58 | 68 | ||
59 | EXTRA_AUTORECONF += "--exclude=aclocal" | 69 | EXTRA_AUTORECONF += "--exclude=aclocal" |
60 | 70 | ||
@@ -66,10 +76,18 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ | |||
66 | --sysconfdir=${sysconfdir}/ssh \ | 76 | --sysconfdir=${sysconfdir}/ssh \ |
67 | --with-xauth=${bindir}/xauth \ | 77 | --with-xauth=${bindir}/xauth \ |
68 | --disable-strip \ | 78 | --disable-strip \ |
79 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ | ||
69 | " | 80 | " |
70 | 81 | ||
71 | # musl doesn't implement wtmp/utmp and logwtmp | 82 | # musl doesn't implement wtmp/utmp and logwtmp |
72 | EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog" | 83 | EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" |
84 | |||
85 | # Work around ICE on mips/mips64 starting in 9.6p1 | ||
86 | EXTRA_OECONF:append:mips = " --without-hardening" | ||
87 | EXTRA_OECONF:append:mips64 = " --without-hardening" | ||
88 | |||
89 | # Work around ICE on powerpc64le starting in 9.6p1 | ||
90 | EXTRA_OECONF:append:powerpc64le = " --without-hardening" | ||
73 | 91 | ||
74 | # Since we do not depend on libbsd, we do not want configure to use it | 92 | # Since we do not depend on libbsd, we do not want configure to use it |
75 | # just because it finds libutil.h. But, specifying --disable-libutil | 93 | # just because it finds libutil.h. But, specifying --disable-libutil |
@@ -82,20 +100,17 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" | |||
82 | # We don't want to depend on libblockfile | 100 | # We don't want to depend on libblockfile |
83 | CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" | 101 | CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" |
84 | 102 | ||
85 | do_configure_prepend () { | 103 | do_configure:prepend () { |
86 | export LD="${CC}" | 104 | export LD="${CC}" |
87 | install -m 0644 ${WORKDIR}/sshd_config ${B}/ | 105 | install -m 0644 ${UNPACKDIR}/sshd_config ${B}/ |
88 | install -m 0644 ${WORKDIR}/ssh_config ${B}/ | 106 | install -m 0644 ${UNPACKDIR}/ssh_config ${B}/ |
89 | } | 107 | } |
90 | 108 | ||
91 | do_compile_ptest() { | 109 | do_compile_ptest() { |
92 | # skip regress/unittests/ binaries: this will silently skip | 110 | oe_runmake regress-binaries regress-unit-binaries |
93 | # unittests in run-ptests which is good because they are so slow. | ||
94 | oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \ | ||
95 | regress/check-perm regress/mkdtemp | ||
96 | } | 111 | } |
97 | 112 | ||
98 | do_install_append () { | 113 | do_install:append () { |
99 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then | 114 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then |
100 | install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd | 115 | install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd |
101 | sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config | 116 | sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config |
@@ -121,15 +136,25 @@ do_install_append () { | |||
121 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | 136 | echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly |
122 | echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly | 137 | echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly |
123 | 138 | ||
124 | install -d ${D}${systemd_unitdir}/system | 139 | install -d ${D}${systemd_system_unitdir} |
125 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system | 140 | if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then |
126 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system | 141 | install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} |
127 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system | 142 | install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} |
143 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | ||
144 | -e 's,@SBINDIR@,${sbindir},g' \ | ||
145 | -e 's,@BINDIR@,${bindir},g' \ | ||
146 | -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ | ||
147 | ${D}${systemd_system_unitdir}/sshd.socket | ||
148 | fi | ||
149 | if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then | ||
150 | install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir} | ||
151 | fi | ||
152 | install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} | ||
128 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | 153 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ |
129 | -e 's,@SBINDIR@,${sbindir},g' \ | 154 | -e 's,@SBINDIR@,${sbindir},g' \ |
130 | -e 's,@BINDIR@,${bindir},g' \ | 155 | -e 's,@BINDIR@,${bindir},g' \ |
131 | -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ | 156 | -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ |
132 | ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service | 157 | ${D}${systemd_system_unitdir}/*.service |
133 | 158 | ||
134 | sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ | 159 | sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ |
135 | ${D}${sysconfdir}/init.d/sshd | 160 | ${D}${sysconfdir}/init.d/sshd |
@@ -140,41 +165,38 @@ do_install_append () { | |||
140 | do_install_ptest () { | 165 | do_install_ptest () { |
141 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh | 166 | sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh |
142 | cp -r regress ${D}${PTEST_PATH} | 167 | cp -r regress ${D}${PTEST_PATH} |
168 | cp config.h ${D}${PTEST_PATH} | ||
143 | } | 169 | } |
144 | 170 | ||
145 | ALLOW_EMPTY_${PN} = "1" | 171 | ALLOW_EMPTY:${PN} = "1" |
146 | 172 | ||
147 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" | 173 | PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" |
148 | FILES_${PN}-scp = "${bindir}/scp.${BPN}" | 174 | FILES:${PN}-scp = "${bindir}/scp.${BPN}" |
149 | FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" | 175 | FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" |
150 | FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" | 176 | FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" |
151 | FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" | 177 | FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" |
152 | FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" | 178 | FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" |
153 | FILES_${PN}-sftp = "${bindir}/sftp" | 179 | FILES:${PN}-sftp = "${bindir}/sftp" |
154 | FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | 180 | FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" |
155 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | 181 | FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" |
156 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | 182 | FILES:${PN}-keygen = "${bindir}/ssh-keygen" |
157 | 183 | ||
158 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | 184 | RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" |
159 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" | 185 | RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" |
160 | RRECOMMENDS_${PN}-sshd_append_class-target = "\ | ||
161 | ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ | ||
162 | " | ||
163 | |||
164 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies | 186 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies |
165 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" | 187 | RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin" |
166 | 188 | ||
167 | RPROVIDES_${PN}-ssh = "ssh" | 189 | RPROVIDES:${PN}-ssh = "ssh" |
168 | RPROVIDES_${PN}-sshd = "sshd" | 190 | RPROVIDES:${PN}-sshd = "sshd" |
169 | 191 | ||
170 | RCONFLICTS_${PN} = "dropbear" | 192 | RCONFLICTS:${PN} = "dropbear" |
171 | RCONFLICTS_${PN}-sshd = "dropbear" | 193 | RCONFLICTS:${PN}-sshd = "dropbear" |
172 | 194 | ||
173 | CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" | 195 | CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config" |
174 | CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" | 196 | CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config" |
175 | 197 | ||
176 | ALTERNATIVE_PRIORITY = "90" | 198 | ALTERNATIVE_PRIORITY = "90" |
177 | ALTERNATIVE_${PN}-scp = "scp" | 199 | ALTERNATIVE:${PN}-scp = "scp" |
178 | ALTERNATIVE_${PN}-ssh = "ssh" | 200 | ALTERNATIVE:${PN}-ssh = "ssh" |
179 | 201 | ||
180 | BBCLASSEXTEND += "nativesdk" | 202 | BBCLASSEXTEND += "nativesdk" |